Microsoft.KeyVault vaults 2015-06-01

Template format

To create a Microsoft.KeyVault/vaults resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2015-06-01",
  "location": "string",
  "tags": {},
  "properties": {
    "vaultUri": "string",
    "tenantId": "string",
    "sku": {
      "family": "A",
      "name": "string"
    },
    "accessPolicies": [
      {
        "tenantId": "string",
        "objectId": "string",
        "applicationId": "string",
        "permissions": {
          "keys": [
            "string"
          ],
          "secrets": [
            "string"
          ],
          "certificates": [
            "string"
          ]
        }
      }
    ],
    "enabledForDeployment": "boolean",
    "enabledForDiskEncryption": "boolean",
    "enabledForTemplateDeployment": "boolean",
    "enableSoftDelete": "boolean"
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.KeyVault/vaults object

Note

In Bicep, type and apiVersion are specified in the first line of the resource declaration. Use the format <type>@<apiVersion>. Don't set those properties in the resource body.

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | Name of the vault |
| type | enum | Yes | For JSON - Microsoft.KeyVault/vaults |
| apiVersion | enum | Yes | For JSON - 2015-06-01 |
| location | string | Yes | The supported Azure location where the key vault should be created. |
| tags | object | No | The tags that will be assigned to the key vault. |
| properties | object | Yes | Properties of the vault - VaultProperties object |

VaultProperties object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| vaultUri | string | No | The URI of the vault for performing operations on keys and secrets. This property is readonly. |
| tenantId | string | Yes | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier |
| sku | object | Yes | SKU details - Sku object |
| accessPolicies | array | Yes | An array of 0 to 1024 identities that have access to the key vault. All identities in the array must use the same tenant ID as the key vault's tenant ID. - AccessPolicyEntry object |
| enabledForDeployment | boolean | No | Property to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. |
| enabledForDiskEncryption | boolean | No | Property to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. |
| enabledForTemplateDeployment | boolean | No | Property to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. |
| enableSoftDelete | boolean | No | Property to specify whether the 'soft delete' functionality is enabled for this key vault. |

Sku object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| family | enum | Yes | SKU family name - A |
| name | enum | Yes | SKU name to specify whether the key vault is a standard vault or a premium vault. - standard or premium |

AccessPolicyEntry object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| tenantId | string | Yes | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. - globally unique identifier |
| objectId | string | Yes | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. |
| applicationId | string | No | Application ID of the client making request on behalf of a principal - globally unique identifier |
| permissions | object | Yes | Permissions the identity has for keys, secrets and certificates. - Permissions object |

Permissions object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| keys | array | No | Permissions to keys - all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, purge |
| secrets | array | No | Permissions to secrets - all, get, list, set, delete, backup, restore, recover, purge |
| certificates | array | No | Permissions to certificates - all, get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge |
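
Added example (not part of the original reference and not Microsoft's code): a Python check of one vault resource against the constraints stated in the tables above, namely the sku values, the 0 to 1024 accessPolicies limit, the matching tenantId, the unique objectId and the listed permission names. It assumes literal values rather than template expressions; the warnings for all, purge and an unset enableSoftDelete are a review policy chosen for this example, and the sample resource is constructed.

```python
# Added example: lint a Microsoft.KeyVault/vaults (2015-06-01) resource dict.
ALLOWED = {  # permission names exactly as the Permissions table spells them
    "keys": set("all encrypt decrypt wrapKey unwrapKey sign verify get list create "
                "update import delete backup restore recover purge".split()),
    "secrets": set("all get list set delete backup restore recover purge".split()),
    "certificates": set("all get list delete create import update managecontacts "
                        "getissuers listissuers setissuers deleteissuers "
                        "manageissuers recover purge".split()),
}
BROAD = {"all", "purge"}  # review policy assumed for this example, not a schema rule

def check_vault(resource):
    """Return (errors, warnings) for one vault resource."""
    errors, warnings = [], []
    props = resource.get("properties", {})
    sku = props.get("sku", {})
    if sku.get("family") != "A" or sku.get("name") not in ("standard", "premium"):
        errors.append("sku must be family 'A' with name 'standard' or 'premium'")
    policies = props.get("accessPolicies")
    if not isinstance(policies, list) or len(policies) > 1024:
        errors.append("accessPolicies must be an array of 0 to 1024 entries")
        policies = []
    seen = set()
    for i, entry in enumerate(policies):
        where = f"accessPolicies[{i}]"
        if entry.get("tenantId") != props.get("tenantId"):
            errors.append(f"{where}: tenantId differs from the vault's tenantId")
        oid = entry.get("objectId")
        if not oid or oid in seen:
            errors.append(f"{where}: objectId missing or repeated")
        seen.add(oid)
        for kind, granted in entry.get("permissions", {}).items():
            unknown = set(granted) - ALLOWED.get(kind, set())
            if unknown:
                errors.append(f"{where}: unknown {kind} permissions {sorted(unknown)}")
            if BROAD & set(granted):
                warnings.append(f"{where}: broad {kind} permissions {sorted(BROAD & set(granted))}")
    if props.get("enableSoftDelete") is not True:
        warnings.append("enableSoftDelete is not true")  # assumed review policy
    return errors, warnings

T, O = "00000000-0000-0000-0000-000000000001", "11111111-1111-1111-1111-111111111111"
SAMPLE = {"properties": {  # constructed sample; GUIDs are placeholders
    "tenantId": T, "sku": {"family": "A", "name": "standard"},
    "accessPolicies": [
        {"tenantId": T, "objectId": O, "permissions": {"secrets": ["get", "list"]}},
        {"tenantId": "other-tenant", "objectId": O,
         "permissions": {"keys": ["all"], "secrets": ["read"]}},
    ]}}
```

Calling check_vault(SAMPLE) reports the second access policy three times as an error (foreign tenantId, repeated objectId, unknown secrets permission) and returns two warnings.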

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Create an API Management service with SSL from KeyVault | This template deploys an API Management service configured with User Assigned Identity. It uses this identity to fetch SSL certificate from KeyVault and keeps it updated by checking every 4 hours. |
| Create an Application Gateway V2 with Key Vault | This template deploys an Application Gateway V2 in a Virtual Network, a user defined identity, Key Vault, a secret (cert data), and access policy on Key Vault and Application Gateway. |
| Create an Azure Key Vault and a secret | This template creates an Azure Key Vault and a secret. |
| Create an Azure Machine Learning service workspace. | This template creates an Azure Machine Learning service workspace. |
| Create AML workspace with multiple Datasets & Datastores | This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
| Connect to a Key Vault via private endpoint | This sample shows how to configure a virtual network and private DNS zone to access Key Vault via private endpoint. |
| Create a Key Vault and a list of secrets | This template creates a Key Vault and a list of secrets within the key vault as passed along with the parameters. |
| Create Key Vault with logging enabled | This template creates an Azure Key Vault and an Azure Storage account that is used for logging. It optionally creates resource locks to protect your Key Vault and storage resources. |
| Advanced template for Azure Machine Learning workspace | A template that creates Azure Machine Learning workspace with private endpoints and resources behind VNET. |
| Create an AKS compute target with a Private IP address. | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
| Continuous Deployment to VM Scale Sets with Jenkins and Spinnaker | This template allows you to deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure. |
| Continuous Deployment to VM Scale Sets using Spinnaker | This template allows you to install Spinnaker on VM or AKS. Specifically, as for the VM scenario you can deploy and configure a DevOps pipeline from an Aptly repository to a VM Scale Set in Azure. |
| Azure Machine Learning Workspace | This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Application Insights Logging. |
| Create a KeyVault | This module allows you to create a KeyVault. |
| SAS 9.4 and Viya Quickstart Template for Azure | The SAS® 9.4 and Viya QuickStart Template for Azure deploys these products on the cloud: SAS® Enterprise BI Server 9.4, SAS® Enterprise Miner 15.1, and SAS® Visual Analytics 8.5 on Linux, and SAS® Visual Data Mining and Machine Learning 8.5 on Linux for Viya. This QuickStart is a reference architecture for users who want to deploy the combination of SAS® 9.4 and Viya on Azure using cloud-friendly technologies. By deploying the SAS® platform on Azure, you get an integrated environment of SAS® 9.4 and Viya environments so you can take advantage of both worlds. SAS® Viya is a cloud-enabled, in-memory analytics engine. It uses elastic, scalable, and fault-tolerant processing to address complex analytical challenges. SAS® Viya provides faster processing for analytics by using a standardized code base that supports programming in SAS®, Python, R, Java, and Lua. It also supports cloud, on-premises, or hybrid environments and deploys seamlessly to any infrastructure or application ecosystem. |